System, method and program for authentication and access control

ABSTRACT

System, method and program for managing a production server. An authentication server sends to the production server via a network a group password for a GroupID to access a file in the production server. A user at a workstation sends via a network to the authentication server an individual UserID and corresponding individual password for the user and a request for the group password for the GroupID to access a file in the production server protected by the group password. In response, the authentication server authenticates the individual UserID with the corresponding individual password and returns to the workstation the group password for the GroupID. After receiving the group password from the authentication server, the user at the workstation sends via a network to the production server the group password and GroupID and a request to access the file in the production server protected by the group password. In response, the production server authenticates the GroupID with the group password and grants the user access to the file.

FIELD OF THE INVENTION

The invention relates generally to computer systems, and more specifically to authentication and access control.

BACKGROUND OF THE INVENTION

Before allowing a person to access a sensitive computer system or application (and the data it manages), it is well known and common for the computer system or application to authenticate the person and, if the person is authentic, check whether the person is authorized to access the computer system or application. Typically, authentication is based on a valid combination of User ID and password provided by the person. Typically, authorization is based on an Access Control List maintained by the computer system or application. The Access Control List lists the User IDs which are authorized to access the computer system or application (and the data it manages).

Different applications and files within a computer system may require different “levels” of access. The highest level of access to the most sensitive applications and files is typically called “root” access (or administrator access). Typically, root access is reserved for administrators, and allows the administrators to execute the most sensitive applications and change the most sensitive files. Examples of applications that typically require root access are mount and passwd. Examples of files that typically require root access are /etc/passwd, /etc/group and /etc/shadow. Users typically have the lowest level of access, called “user” access, and this allows the user to use less sensitive applications and access less sensitive files. In some cases, root access is required to change a file, such as a /etc/fs or /etc/passwd configuration file, but user access is sufficient to read the same file.

Some IDs and passwords are created and used by respective individuals. Other IDs and passwords are assigned to and used by a group of people. Most security policies require that passwords be changed periodically, such as every six months. This limits unauthorized exposure of the sensitive application or file if a hacker learns a valid combination of User ID and password of an authorized person or group. In the case of individual User IDs and individual passwords associated with respective individuals, the user changes his or her password periodically as required by the security policy. In the case of a “group” User ID and password, it is common for one person in the group to periodically change the password, according to the security policy.

It was known to allow a person to obtain a new password for a system or application before expiration of the current password by the person entering the person's current password.

It was known to allow a person to obtain a new password for a system or application after expiration of the current password by the person entering the person's expired password.

It was known to allow a person to obtain a new password after expiration of the current password by the person entering a User ID and the authentication system sending the new, system-generated password to an e-mail address previously registered for the User ID. Next, the person can enter the system-generated password along with a new person-generated password to substitute the person-generated password for the system-generated password.

Often, the person forgets the person's current or expired password. In such a case, it was known to allow such a person to reset the person's current or expired password by a challenge/response process. In this process, an authentication program poses a series of challenges or questions to the person, such as requests for the person's mother's maiden name, the name of the street where the person grew up, etc., in addition to the person's User ID. (The person provided the answers to the challenges or questions upon original registration.) If the person answers the questions properly, then the system allows the person to obtain a new password for the current User ID. A typical challenge/response process to obtain a new password is not as secure as requiring the current or expired password to obtain a new password. This is because the typical challenges/responses, while not widely known, are not secret and are not protected as secrets.

As explained above, in the case of a group User ID and group password, typically one person in the group (a “super administrator”) changes the group password periodically (by furnishing the current or expired password for authentication) as required by the security policy. For a large computer system with a large number of computers, applications and files, there may be a large number of administrators (up to one hundred), each requiring root access. In such a case, each time the group password is changed, the person who changed the group password sends the group password electronically (such as by e-mail) to each administrator, and each administrator typically makes a record of the new password. There have been difficulties in ensuring that each administrator (a) receives the new group password, and (b) if received, retains a copy of the password in a secure manner.

An object of the present invention is to better control distribution of group passwords to authorized users.

SUMMARY OF THE INVENTION

The present invention resides in a system, method and program for managing a production server. An authentication server sends to the production server via a network a group password for a GroupID to access a file in the production server. A user at a workstation sends via a network to the authentication server an individual UserID and corresponding individual password for the user and a request for the group password for the GroupID to access a file in the production server protected by the group password. In response, the authentication server authenticates the individual UserID with the corresponding individual password and returns to the workstation the group password for the GroupID. After receiving the group password from the authentication server, the user at the workstation sends via a network to the production server the group password and GroupID and a request to access the file in the production server protected by the group password. In response, the production server authenticates the GroupID with the group password and grants the user access to the file.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a block diagram of a computer system in which the present invention is implemented.

FIGS. 2(A) and 2(B) form a flow chart of function and operation of various programs within computers of FIG. 1, according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention will now be described in detail with reference to the figures. FIG. 1 illustrates a distributed computer system generally designated 10 which includes the present invention. Distributed computer system 10 includes a central authentication server 20 with a known CPU 21, operating system 22, RAM 23 and ROM 24 on a common bus 25 and storage 26. Authentication server 20 also includes a table 31 of valid combinations of Group IDs and corresponding group passwords. For example, one of the Group IDs is “Administrator Team” for root access to a sensitive application or data file 48 a such as the mount program in respective production server 40 a. Authentication server 20 also includes a table 32 of valid combinations of (individual) UserIDs and corresponding individual passwords. Authentication server 20 also includes a password management program 30 to authenticate individual UserIDs and corresponding individual passwords and, if authentic, furnish a group password for a GroupID if the UserID is so authorized.

Distributed computer system 10 also includes a multiplicity of similar production servers (or other computers) 40 a,b,c,d. Production servers 40 a,b,c,d include respective CPUs, operating systems, RAM, ROM on common buses and storage such as CPU 41 a, operating system 42 a, RAM 43 a, and ROM 44 a on common buses 45 a and storage 46 a in production servers 40 a,b,c,d. Each of the production servers includes one or more sensitive application or data files such as file 48 a. Each of the production servers 40 a,b,c,d includes a respective, known authentication and authorization program such as program 141 a in production server 40 a, a table such as table 39 a in production server 40 a of valid combinations of Group IDs and corresponding group passwords, and an access control list such as access control list 49 a in production server 40 a of identities of files and authorizations by GroupID to access the corresponding file. In addition, authentication and authorization program 141 a (and the corresponding authentication and authorization programs in production servers 40 b,c,d) periodically requests from authentication server 20 the current GroupID for each protected file such as file 48 a. Alternately, authentication server 20 initiates sending of updates to the GroupID for each file, whenever the GroupID is changed at the authentication server 20.

Authentication server 20 also includes password management program 30, according to the present invention, to periodically generate a new, valid group password for a corresponding Group ID and provide the group password to production servers (or other computers) 40 a,b,c,d for group access to respective sensitive files in the production servers such as file 48 a in production server 40 a. Password management program 30 can periodically generate the new password automatically or periodically prompt an authorized user (such as an administrator or network security compliance officer) to enter a new group password. Server 20 includes a table 33 which includes a record of one or more challenges and corresponding correct responses for each User ID. Typically, the challenge and correct response for each individual User ID is a request for the individual password and the corresponding individual password. After successfully providing the correct individual password for the UserID from a user workstation 50 a,b,c,d, password management program 30 can provide to the individual user at the user workstation 50 a,b,c,d the new valid group password, assuming the UserID is authorized. With this new, valid group password (and knowledge of the Group ID), the individual user from workstation 50 a,b,c,d can log on, i.e. be authenticated to, the production servers 40 a,b,c,d to access the respective sensitive files in production servers 40 a,b,c,d.

Distributed computer system 10 also includes a multiplicity of the user workstations 50 a,b,c,d through which respective users such as user 59 a of workstation 50 a (such as administrators for the production servers 40 a,b,c,d) initially request access to authentication server 20 (to obtain the current group password for the production servers 40 a,b,c,d). User workstations 50 a,b,c,d include respective CPUs, operating systems, RAM, ROM on common buses and storage such as CPU 51 a, operating system 52 a, RAM 53 a, and ROM 54 a on common buses 55 a and storage 56 a in workstation 50 a. User workstations 50 a,b,c,d also include a respective password request program such as password request program 58 a in workstation 50 a according to the present invention by which the respective administrator requests a new root-access or other group password based on the user's current (individual) User ID and corresponding individual password.

Authentication server 20, production servers 40 a,b,c,d and user workstations 50 a,b,c,d are all interconnected by a network 60 such as the Internet, wide area network, local area network, etc.

FIGS. 2(A) and 2(B) illustrate function and operation of program 30 in authentication server 20, program 141 a in production server 40 a and program 58 a within workstation 50 a in system 10 in more detail. (Analogous processing occurs for users at the other workstations 50 b,c,d to obtain a group password from authentication server 20 to access a sensitive file in any of the production servers 40 a,b,c,d.) A corporate security compliance officer or network administrator periodically changes in authentication server 20 the root-access or other group password for a Group ID required to access a sensitive file 48 a in production server 40 a (or other computer) (step 100). The security compliance officer or network administrator changes the group password at authentication server 20 by invoking the password management program 30 and supplying the soon-to-expire group password and GroupID for authentication of the security compliance officer or network administrator as well as the new group password for the same GroupID. Periodically, each production server 40 a,b,c,d (or other computer) allowing access by a Group ID to a respective sensitive file such as file 48 a requests from the authentication server 20 the current group password for the Group ID (step 102). Alternately, whenever the security compliance officer or network administrator at the authentication server 20 changes the group password for the Group ID (or the authentication server automatically changes the group password for the GroupID), the authentication server 20 sends the group password for the Group ID to each production server (or other computer) 40 a,b,c,d allowing access to the respective sensitive files in production servers 40 a,b,c,d based on the Group ID and corresponding group password (step 102).

During normal operation, a user (for example, an administrator for production server 40 a) from a user workstation 50 a logs on to authentication server 20 based on the user's individual UserID and corresponding (individual's/user's) password (step 106). In response, the password management program 30 in authentication server 20 attempts to authenticate the individual UserID and corresponding individual/user password by reference to table 32 (step 110). If the user's individual password is valid for the UserID (decision 110, yes branch), then the user specifies a Group ID and requests the current root-access or other group password for the Group ID for access to a sensitive file 48 a in production server 40 a (or other computer) (step 114). (Alternately, the user can request the group password concurrent with the request in step 106 to log on to the authentication server based on the UserID and corresponding individual/user password.) In response to the request for the group password, the password management program 30 in authentication server 20 determines if the individual UserID is authorized to receive the group password for the GroupID by reference to an access list 34 (decision 120). If so (decision 120, yes branch), then authentication server 20 returns to the user at user workstation 50 a the group password for the Group ID for access to the sensitive file 48 a in production server 40 a (or other computer) (step 130). The user then attempts to log on to the production server 40 a (or other computers) with the Group ID and corresponding group password (step 140). In response, password authentication and authorization program 141 a in the production server 40 a determines based on table 39 a if the combination of GroupID and group password is valid, i.e. whether the user is authentic (decision 150). If so (decision 150, yes branch), then the user requests access to the sensitive file (step 152).

In response, password authentication and authorization program 141 a in the production server 40 a determines based on access control list 49 a if the GroupID is authorized to access the file requested by the user (decision 154). If so (decision 154, yes branch), then password authentication and authorization program 141 a grants the user access to the requested file (step 160). (Alternately, step 152 can be performed concurrent with step 140.)

However, if the group password is not valid for the GroupID (decision 150, no branch) or the GroupID is not authorized to access the sensitive file 48 a (decision 154, no branch), then program 141 a does not grant the user access to the requested file (step 162).

Referring again to decision 120, no branch, where the user is not authorized to receive the group password, password management program 30 does not return the group password to the user (step 121).
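The two procedures of FIGS. 2(A) and 2(B), the rotation and distribution of a group password (steps 100 and 102, in both the pull and the push variant) and a user's retrieval of that password followed by log-on to the production server (steps 106 through 162), as an added worked example in Python. It is not code from the patent or from any product; the class and method names, the string results, the subscriber list used for the push variant, the user and file names and the choice to store the tables of valid combinations as salted PBKDF2 hashes (the page says nothing about storage form) are all assumptions made here. Table 31 at the authentication server is kept recoverable because step 130 has to return the clear group password to the workstation.

```python
import hashlib
import hmac
import os
import secrets


def make_verifier(password):
    """Row of a valid (ID, password) table as a salted PBKDF2 hash; the page does not say
    how tables 31, 32 and 39 a store passwords, so this storage form is our assumption."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify(row, password):
    return hmac.compare_digest(row[1], hashlib.pbkdf2_hmac("sha256", password.encode(), row[0], 100_000))


class ProductionServer:
    """Program 141 a: table 39 a (GroupID -> group password) and ACL 49 a (file -> GroupIDs)."""
    def __init__(self, acl):
        self.acl, self.group_table = acl, {}

    def update_group_password(self, group_id, password):  # step 102, pushed by server 20
        self.group_table[group_id] = make_verifier(password)

    def pull(self, auth):  # step 102, pull variant: periodic request to server 20
        for group_id, password in auth.group_passwords.items():
            self.update_group_password(group_id, password)

    def access(self, group_id, password, path):  # steps 140-162
        row = self.group_table.get(group_id)
        if row is None or not verify(row, password):
            return "denied: group password invalid"  # decision 150, no branch
        if group_id not in self.acl.get(path, set()):
            return "denied: GroupID not authorized"  # decision 154, no branch
        return "granted"  # step 160


class AuthenticationServer:
    """Program 30: table 32 (UserID -> individual password), table 31 (GroupID -> current
    group password, kept recoverable because step 130 returns it) and access list 34."""
    def __init__(self, subscribers=()):
        self.user_table, self.group_passwords, self.access_list = {}, {}, {}
        self.subscribers = list(subscribers)  # production servers that receive pushes

    def register_user(self, user_id, password):
        self.user_table[user_id] = make_verifier(password)

    def authorize(self, user_id, group_id):  # entry in access list 34
        self.access_list.setdefault(group_id, set()).add(user_id)

    def rotate_group_password(self, group_id, old_password, new_password=None):
        """Step 100: the officer proves knowledge of the soon-to-expire password (None only
        for a GroupID with no password yet); new_password=None lets the server generate one."""
        current = self.group_passwords.get(group_id)
        if current is not None and (old_password is None or not hmac.compare_digest(
                current.encode(), old_password.encode())):
            return False
        fresh = new_password or secrets.token_urlsafe(24)
        self.group_passwords[group_id] = fresh
        for server in self.subscribers:  # step 102, push variant
            server.update_group_password(group_id, fresh)
        return True

    def request_group_password(self, user_id, password, group_id):  # steps 106-130
        row = self.user_table.get(user_id)
        if row is None or not verify(row, password):
            return None  # decision 110, no branch
        if user_id not in self.access_list.get(group_id, set()):
            return None  # decision 120, no branch (step 121)
        return self.group_passwords.get(group_id)  # step 130


def workstation_session(auth, prod, user_id, password, group_id, path):
    """Program 58 a: obtain the group password, then log on to the production server."""
    group_password = auth.request_group_password(user_id, password, group_id)
    if group_password is None:
        return "no group password issued"
    return prod.access(group_id, group_password, path)


def demo():
    """Constructed sample data: one production server, two users, one privileged GroupID."""
    prod = ProductionServer({"/etc/shadow": {"Administrator Team"}, "/var/log/app.log": {"Operators"}})
    auth = AuthenticationServer(subscribers=[prod])
    auth.register_user("alice", "alice-individual-pw")
    auth.register_user("bob", "bob-individual-pw")
    auth.authorize("alice", "Administrator Team")  # bob is deliberately left off access list 34
    r = {"initial rotation": auth.rotate_group_password("Administrator Team", None)}
    first = auth.group_passwords["Administrator Team"]
    alice = ("alice", "alice-individual-pw", "Administrator Team")
    r["alice reads /etc/shadow"] = workstation_session(auth, prod, *alice, "/etc/shadow")
    r["alice wrong individual pw"] = workstation_session(auth, prod, "alice", "typo", alice[2], "/etc/shadow")
    r["bob not on access list"] = workstation_session(auth, prod, "bob", "bob-individual-pw", alice[2], "/etc/shadow")
    r["group not in ACL for file"] = workstation_session(auth, prod, *alice, "/var/log/app.log")
    r["rotation with wrong old pw"] = auth.rotate_group_password("Administrator Team", "guess")
    r["rotation with correct old pw"] = auth.rotate_group_password("Administrator Team", first)
    r["stale group pw after rotation"] = prod.access("Administrator Team", first, "/etc/shadow")
    r["fresh group pw after rotation"] = workstation_session(auth, prod, *alice, "/etc/shadow")
    late = ProductionServer({"/etc/shadow": {"Administrator Team"}})  # unsubscribed: pulls instead
    late.pull(auth)
    r["server that pulled table 31"] = workstation_session(auth, late, *alice, "/etc/shadow")
    return r
```

Running `demo()` exercises every branch of the flow chart: the yes branches of decisions 110, 120, 150 and 154 end in "granted"; a wrong individual password or a UserID missing from access list 34 stops at the authentication server (step 121) and the group password never leaves it; a GroupID missing from ACL 49 a fails at decision 154; and once the officer rotates the group password (step 100) the old value is refused at every production server that received the push or pulled the table, which is the exposure limit the background section asks for.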

With the foregoing system and process, each administrator/user can acquire the current group password when needed, and need not keep a tangible copy of the group password.

Program 30 can be loaded into authentication server 20 from a computer readable media 232 such as magnetic tape or disk, optical media, DVD, memory stick, etc. or downloaded from the network 60 via TCP/IP adapter card 230.

Program 141 a can be loaded into production server 40 a from a computer readable media 432 a such as magnetic tape or disk, optical media, DVD, memory stick, etc. or downloaded from the network 60 via TCP/IP adapter card 430 a.

Program 58 a can be loaded into respective user workstation 50 a from a computer readable media 532 a such as magnetic tape or disk, optical media, DVD, memory stick, etc. or downloaded from the network 60 via TCP/IP adapter card 530 a.

Based on the foregoing, a system, method and program product for authentication and access control have been disclosed. However, numerous modifications and substitutions can be made without deviating from the scope of the present invention. Therefore, the present invention has been disclosed by way of illustration and not limitation, and reference should be made to the following claims to determine the scope of the present invention.

1. A method for managing a production server, said method comprising the steps of: an authentication server sending to said production server via a network a group password for a GroupID to access a file in said production server; a user at a workstation sending via a network to said authentication server an individual UserID and corresponding individual password for said user and a request for said group password for said GroupID to access a file in said production server protected by said group password, and in response, said authentication server authenticating said individual UserID with said corresponding individual password and returning to said workstation said group password for said GroupID; and after receiving said group password from said authentication server, said user at said workstation sending via a network to said production server said group password and GroupID and a request to access said file in said production server protected by said group password, and in response, said production server authenticating said GroupID with said group password and granting said user access to said file.

2. A method as set forth in claim 1 further comprising the prior step of an administrator specifying said group password to said authentication server for said GroupID, such that the specified group password replaces a previous group password for said GroupID.

3. A method as set forth in claim 1 wherein before the step of said authentication server sending said group password to said user, said authentication server determining from an access list if said user is authorized to receive said group password.

4. A method as set forth in claim 3 wherein before the step of said production server granting said user access to said file, said production server determining from another access list if said user is authorized to access said file.

5. A method as set forth in claim 1 wherein before the step of said production server granting said user access to said file, said production server determining from an access list if said user is authorized to access said file.

6. A computer program product for managing a production server, said computer program product comprising: computer readable media; first program instructions for execution in an authentication server to send to said production server via a network a group password for a GroupID to access a file in said production server; second program instructions, for execution in a workstation, to send via a network to said authentication server an individual UserID and corresponding individual password supplied by a user at said workstation and a request by said user at said workstation for said group password for said GroupID to access a file in said production server protected by said group password; third program instructions, for execution in said authentication server, responsive to receipt of said individual UserID and corresponding individual password supplied by said user and said request by said user for said group password for said GroupID to access a file in said production server protected by said group password, to authenticate said individual UserID with said corresponding individual password and return to said workstation said group password for said GroupID; fourth program instructions, for execution in said workstation, responsive to receipt of said group password from said authentication server, to enable said user at said workstation to send via a network to said production server said group password and GroupID and a request to access said file in said production server protected by said group password; and fifth program instructions, for execution in said production server, responsive to receipt from said user of said group password and GroupID and said request to access said file in said production server protected by said group password, to authenticate said GroupID with said group password and grant said user access to said file; and wherein said first, second, third, fourth and fifth program instructions are stored on said media in functional form.

7. A computer program product as set forth in claim 6 further comprising sixth program instructions, for execution in said authentication server, to enable an administrator to specify said group password to said authentication server for said GroupID, such that the specified group password replaces a previous group password for said GroupID; and wherein said sixth program instructions are stored on said media in functional form.

8. A computer program product as set forth in claim 6 further comprising sixth program instructions, for execution in said authentication server, to determine from an access list that said user is authorized to receive said group password; and wherein said sixth program instructions are stored on said media in functional form.

9. A computer program product as set forth in claim 9 further comprising sixth program instructions, for execution in said production server, to determine from an access list that said user is authorized to access said file; and wherein said sixth program instructions are stored on said media in functional form.

10. A computer program product as set forth in claim 6 further comprising sixth program instructions, for execution in said production server, to determine from an access list that said user is authorized to access said file; and wherein said sixth program instructions are stored on said media in functional form.

11. A computer system for managing a production server, said computer system comprising: means within an authentication server for sending to said production server via a network a group password for a GroupID to access a file in said production server; means within a workstation for sending via a network to said authentication server an individual UserID and corresponding individual password supplied by a user at said workstation and a request by said user at said workstation for said group password for said GroupID to access a file in said production server protected by said group password; means within said authentication server, responsive to receipt of said individual UserID and corresponding individual password supplied by said user and said request by said user for said group password for said GroupID to access a file in said production server protected by said group password, for authenticating said individual UserID with said corresponding individual password and returning to said workstation said group password for said GroupID; means within said workstation, responsive to receipt of said group password from said authentication server, for enabling said user at said workstation to send via a network to said production server said group password and GroupID and a request to access said file in said production server protected by said group password; and means within said production server, responsive to receipt from said user of said group password and GroupID and said request to access said file in said production server protected by said group password, for authenticating said GroupID with said group password and granting said user access to said file.

12. A computer system as set forth in claim 11 further comprising means within said authentication server, for enabling an administrator to specify said group password to said authentication server for said GroupID, such that the specified group password replaces a previous group password for said GroupID.

13. A computer system as set forth in claim 11 further comprising means within said authentication server, for determining from an access list that said user is authorized to receive said group password.

14. A computer system as set forth in claim 11 further comprising means within said production server for determining from an access list that said user is authorized to access said file.

15. A computer system as set forth in claim 11 further comprising means within said production server for determining from an access list that said user is authorized to access said file.